b'\x0c\x0c            Smithsonian Institution\n            Office of the Inspector General\n\n\n            In Brief                              Development and Membership\n                                                  Information System\n                                                  Report Number A-06-08, May 16, 2007\n\n\nWhy We Did This Evaluation           What We Found\n\nThe Federal Information Security     The Development and Membership Information System (DMIS) is a commercial\nManagement Act of 2002               off-the-shelf information system application that is used by the Office of\n(FISMA) directs the Office of the    Development and staff across the Institution to support constituency research,\nInspector General to annually        gift recording, membership, and other related development services. The data in\nevaluate the information security    DMIS is confidential because it contains information relating to Smithsonian\nprogram of the Institution. The      Institution donors, prospects, and members.\nInstitution voluntarily complies\nwith FISMA requirements              We identified several areas in which adequate controls have not been documented\nbecause it is consistent with its    and put in place. For instance, standard security configuration baselines have not\nstrategic goals. FISMA outlines      been implemented and account administration controls are weak. As a result of\nfederal information security         failing to implement standard configuration baselines, many areas of weakness\ncompliance criteria, including the   exist that would likely have been addressed or mitigated had one been\nrequirement for a review of a        implemented.\nsubset of systems as part of the\nannual independent assessment        Regarding account administration controls, we found that Administrators are\nby the Institution\xe2\x80\x99s Inspector       logging into the system through a shared Administrator account rather than\nGeneral. This report covers the      having each user assigned an individual ID so that server actions can be tracked\nevaluation of the DMIS technical     and user accountability can be established. The use of shared or group accounts\nsecurity controls and supports the   minimizes or eliminates the effectiveness of audit trails, because actions cannot be\nSmithsonian Institution Office of    tied back to a single individual. Individuals who use group accounts or share a\nthe Inspector General (OIG)          single ID could potentially perform unauthorized or inappropriate activities\nannual FISMA evaluation of the       within the system that could not be tied back to them.\ninformation security controls\nimplemented by the Institution.      Without adequate procedures to ensure that configuration baselines are in place\n                                     over the Institution\xe2\x80\x99s major information systems or account administration\nWhat We Recommended                  controls are implemented, the confidentiality, availability, and integrity of\n                                     Institution systems and related data may be at greater risk than management is\nWe made recommendations to           willing to accept.\nstrengthen the confidentiality,\navailability, and integrity of the\ninformation on DMIS and to\nenhance audit trails and user\naccountability.\n\nManagement fully concurred with\nthe report findings and\nrecommendations. Management\nhas planned or taken action that\nwill mitigate the identified\nweaknesses.\n                                     For additional information or a copy of the full report, contact the Office of\n                                     the Inspector General at (202) 633-7050 or visit http://www.si.edu/oig.\n\x0c                               REPORT ON REVIEW OF\n                                 FISCAL YEAR 2006\n                  DEVELOPMENT AND MEMBERSHIP INFORMATION SYSTEM\n                             SMITHSONIAN INSTITUTION\n                         OFFICE OF THE INSPECTOR GENERAL\n\n\n\n\nCotton & Company LLP\nAuditors \xc2\xb7Advisors\n635 Slaters Lane, 4th Floor\nAlexandria, Virginia 22314\nwww.cottoncpa.com\n\x0c                                              CONTENTS\n\nSection                                                                     Page\nPurpose                                                                      1\n\nBackground                                                                   1\n\nObjectives, Scope and Methodology                                            2\n\nSummary of Results:\n   1. Standard Security Configuration Baselines have not Been Implemented    4\n   2. DMIS Account Administration Controls are Weak                          5\n\n   Summary of Management Response                                            6\n\n   Office of the Inspector General Comments                                  6\n\nAppendix \xe2\x80\x93 Management Response                                               7\n\x0c                                  REPORT ON REVIEW OF\n                                    FISCAL YEAR 2006\n                     DEVELOPMENT AND MEMBERSHIP INFORMATION SYSTEM\n                                SMITHSONIAN INSTITUTION\n                            OFFICE OF THE INSPECTOR GENERAL\n\n\nCotton & Company LLP conducted an audit of the Smithsonian Institution\xe2\x80\x99s Development and\nMembership Information System (DMIS) technical security controls in support of the Office of the\nInspector General\xe2\x80\x99s overall responsibilities related to Title III of the 2002 E-Government Act, also known\nas the Federal Information Security Management Act.\n\nPURPOSE\n\nThe E-Government Act of 2002 (Pub. L. No. 107-347), which includes Title III, the Federal Information\nSecurity Management Act of 2002 (FISMA), was enacted to strengthen the security of federal\ngovernment information systems. Although the E-Government Act of 2002 does not apply to the\nInstitution, the Institution supports the information security practices required by the Act because they are\nconsistent with and advance the Institution\xe2\x80\x99s mission and strategic goals.\n\nFISMA outlines federal information security compliance criteria, including the requirement for an annual\nindependent assessment by the Institution\xe2\x80\x99s Inspector General. This report covers the evaluation of the\nDMIS technical security controls and supports the Smithsonian Institution Office of the Inspector\nGeneral (OIG) annual FISMA evaluation of the information security controls implemented by the\nInstitution.\n\nBACKGROUND\n\nFISMA, Office of Management and Budget (OMB) regulations, and National Institute of Standards and\nTechnology (NIST) guidance outline minimum security requirements for federal information security\nprograms. These include:\n\n     \xe2\x80\xa2 Annual System Self-Assessments. NIST\xe2\x80\x99s Security Self Assessment Guide for Information\n       Technology Systems contains specific control objectives and techniques against which a system\n       can be tested and measured. Performing a self-assessment and mitigating any of the weaknesses\n       found in the assessment is an effective way to determine if the system or the information it\n       contains is adequately secured and protected from loss, misuse, unauthorized access, or\n       modification. OMB guidelines require organizations to use the NIST self-assessment tool\n       annually to evaluate each of their major systems.\n\n     \xe2\x80\xa2 Certification and Accreditation. NIST\xe2\x80\x99s Guide for the Security Certification and Accreditation\n       of Federal Information Systems states that systems should be certified and accredited. A\n       certification is \xe2\x80\x9ca comprehensive assessment of management, operational, and technical security\n       controls in an information system, made in support of security accreditation, to determine the\n       extent to which the controls are implemented correctly, and operating as intended.\xe2\x80\x9d NIST\n       guidance also discusses system accreditation, which is \xe2\x80\x9cthe official management decision to\n       authorize operation of an information system and to explicitly accept the risk to operations,\n       assets, or individuals based on the implementation of the agreed-upon set of security controls.\xe2\x80\x9d\n       Organizations should use the results of the certification to reassess their risks and update system\n       security plans to provide the basis for making security accreditation decisions.\n                                                    1\n\x0c    \xe2\x80\xa2 System Security Plan. NIST\xe2\x80\x99s Guide for Developing Security Plans for Information Technology\n      Systems requires that all major application and general support systems be covered by a security\n      plan. The plan provides an overview of the security requirements of a system and describes\n      controls in place or planned for meeting those requirements. Additionally, the plan defines\n      responsibilities and the expected behavior of all individuals accessing the system. The NIST\n      guide also instructs that the security plan should describe the management, operational, and\n      technical controls the organization has implemented to protect the system. Among other things,\n      these controls include user identification and authentication procedures, contingency/disaster\n      recovery planning, application software maintenance, data validation, and security awareness\n      training.\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nOn behalf of the OIG, Cotton & Company performed an independent audit of DMIS. We conducted this\naudit in accordance with Generally Accepted Government Auditing Standards, 2006 Revision,\npromulgated by the Comptroller General of the United States. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our\nfindings and conclusions based on our audit objectives. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objectives. This report is intended to\nmeet the objectives described below and should not be used for other purposes.\n\nDMIS, a commercial off-the-shelf application based on the Sage Software product \xe2\x80\x9cMillennium,\xe2\x80\x9d is used\nby the Office of Development and staff across the Institution to support, manage, and control constituency\nresearch, gift recording, membership, and other related development services. DMIS information is\nconfidential, because it contains names and addresses of donors, prospects and members, and in some\ncases credit card information. It also contains confidential information about interactions with donors,\nprospects, and members and other giving information.\n\nThe objectives of this independent audit were to evaluate and report on the existence and effectiveness of\ntechnical security controls over DMIS and to determine if baselines had been adequately documented and\nimplemented over the DMIS operating system and database. To accomplish these objectives, we\nperformed detailed reviews of the DMIS Oracle (Oracle 9i) database and Windows 2003 server\nsupporting the database. In addition, we performed a high-level review of available certification and\naccreditation (C&A) documentation, including the DMIS:\n\n        \xe2\x80\xa2       System Security Plan\n        \xe2\x80\xa2       Plan of Action and Milestones (POA&M)\n        \xe2\x80\xa2       Risk Assessment\n        \xe2\x80\xa2       Certification and Accreditation Letters\n        \xe2\x80\xa2       Documented NIST SP 800-53 Mandatory Controls\n\nFor the Oracle database, we conducted interviews with the DMIS project manager and database\nadministrator and performed a security configuration review of the DMIS Oracle 9i database that serves\nas the back-end for the application. We conducted the database review in two phases.\n\n        \xe2\x80\xa2       In the first phase, we reviewed OCIO\xe2\x80\x99s Oracle security baseline, Security Settings for\n                Oracle Servers. This document outlines recommended security settings for Oracle\n                database installations at the Institution.\n\n                                                     2\n\x0c        \xe2\x80\xa2       In the second phase, we compared the current security configuration of the DMIS Oracle\n                9i database to baselines from the Institution and the Center for Internet Security\xe2\x80\x99s (CIS)\n                Oracle benchmark. We also reviewed the DMIS baseline configuration using an\n                automated database scanning tool (AppDetective).\n\nDMIS consists of four Windows servers: web server, database server, reporting server, and document\nserver. Our review focused on the database server\xe2\x80\x99s operating system running Windows 2003. Audit\nprocedures consisted of interviewing the DMIS project manager and server administrator and completing\na detailed configuration review of the server\xe2\x80\x99s operating system.\n\nFinally, we reviewed DMIS C&A documentation as part of the overall FISMA evaluation to determine if\nit complied with Institution, NIST, and OMB criteria in content and form. At a high level we compared\nthe DMIS system security plan to NIST Special Publication (SP) 800-18, Developing Security Plans for\nInformation Technology Systems and OMB Circular A-130, Appendix III, Security of Federal Automated\nInformation Resources to verify key requirements were being addressed.\n\nIn addition, we compared the DMIS POA&M to the Institution\xe2\x80\x99s Technical Standard and Guidelines, IT-\n930-01; NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Process;\nOMB Circular A-130, Appendix III; and OMB Memorandum M-02-01, Guidance for Preparing and\nSubmitting Security Plans of Action and Milestones.\n\nRESULTS\n\nDMIS received re-authorization to operate in August 2006 after completion of a formal recertification and\nreaccredidation process. As a result of the re-authorization, management updated the DMIS system\nsecurity plan, POA&M, and other supporting documentation which were reviewed during the overall\nFISMA evaluation (see OIG\xe2\x80\x99s FY 2006 FISMA Audit of the Smithsonian Institution\xe2\x80\x99s Information\nSecurity Program, Audit Report Number A-06-05). Although our overall review of the Institution\xe2\x80\x99s C&A\ndocumentation did not identify any significant issues with the C&A process or more specifically the\nDMIS C&A documentation, we did identify two issues in the overall FISMA evaluation report which\nwere in part supported by DMIS weaknesses and made recommendations on those issues.\n\nSpecifically, as noted in the FY2006 FISMA evaluation report, the DMIS system security plan did not\ninclude or make reference to common security controls; however, these controls were identified in a\nseparate document. Additionally, the report noted that controls were not adequate to ensure standard\nsecurity configuration baselines had been implemented on the Institution\xe2\x80\x99s major applications in\naccordance with Institution policy. In fact, DMIS was an example of a system on which baselines were\nnot implemented.\n\nThis report documents the results of technical testing conducted on the DMIS Windows operating system\nand Oracle database which support the DMIS web server as well as our associated recommendations. We\nnoted several areas in which adequate controls have not been documented and put in place. For instance,\nstandard security configuration baselines have not been implemented, and account administration controls\nare weak.\n\n\n\n\n                                                    3\n\x0cStandard Security Configuration Baselines Have Not Been Implemented\n\nNIST SP 800-70, Security Configuration Checklists Program for IT Products, states:\n\n        A security configuration checklist (sometimes called a lockdown or hardening guide or\n        benchmark) is in its simplest form a series of instructions for configuring a product to a\n        particular security level (or baseline)\xe2\x80\xa6.The use of well-written, standardized checklists\n        can markedly reduce the vulnerability exposure of IT products. Checklists may be\n        particularly helpful to small organizations and individuals that have limited resources for\n        securing their systems.\n\nThe Institution\xe2\x80\x99s OCIO had developed, documented, and posted on the Institution\xe2\x80\x99s intranet baselines for\nuse by system owners when configuring their systems. In addition, OCIO developed and documented\nIT-960-TN16, which states:\n\n        System owners must use established OCIO baseline build documents and obtain the\n        appropriate approvals prior to installing or updating the operating system for application,\n        database, and web servers to be placed on SInet.\n\nThe Institution\xe2\x80\x99s standard security configuration baselines have not been implemented. Individuals\nresponsible for administration of DMIS were aware of the standard security configuration baselines\ndistributed by OCIO and had included them in the DMIS POA&M as a weakness. Our review of the\nDMIS POA&M noted that management identified timelines for implementing the baselines, as follows:\n\n                      Reporting Server:        September 30, 2006\n                      Document Server:         December 31, 2006\n                      Database Server:         March 31, 2007\n                      Web Server:              June 30, 2007\n\nFurther, these baselines have not been implemented as of the date of this report. As a result of failing to\nimplement standard configuration baselines, many areas of weakness exist that would likely have been\naddressed or mitigated with the implementation of a standard security configuration baseline:\n\n        \xe2\x80\xa2       The latest patchset had not been applied.\n        \xe2\x80\xa2       Strong database password controls have not been implemented.\n        \xe2\x80\xa2       Database-level auditing controls have not been enabled.\n\nIn addition, our review of the Windows 2003 server supporting the Oracle database identified weaknesses\nin the following areas, which again would likely have been addressed or mitigated if a standard security\nconfiguration baseline were in place over that server:\n\n        \xe2\x80\xa2       Strong OS password controls have not been implemented.\n        \xe2\x80\xa2       OS-level logging and auditing controls have not been implemented.\n        \xe2\x80\xa2       Security policies are weak.\n        \xe2\x80\xa2       File and registry permissions are not configured appropriately.\n        \xe2\x80\xa2       Unnecessary services are identified as running on the server.\n\nWithout adequate procedures to ensure that configuration baselines are in place over the Institution\xe2\x80\x99s\nmajor information systems, the confidentiality, availability, and integrity of Institution systems and\nrelated data may be at greater risk than management is willing to accept.\n\n                                                      4\n\x0c        1. We recommend the DMIS System sponsor/owner promptly implement standard security\n           configuration baselines for the DMIS Oracle database and for each server supporting DMIS,\n           as soon as practicable. In addition, the DMIS system sponsor/owner should document on the\n           baseline where recommended security controls have not been implemented and provide valid\n           business reasons, and include the completed baseline in the system security plan as part of the\n           C&A package.\n\nDMIS Account Administration Controls Are Weak\n\nControls are not adequate to ensure that individuals logging into the DMIS Windows 2003 server are\nlogging in through individual accounts specifically assigned to them. Administrators are logging into the\nsystem through a shared Administrator account rather than having each user assigned an individual ID so\nthat server actions can be tracked and user accountability can be established.\n\nSmithsonian Directive (SD) 931, Use of Computers and Networks \xe2\x80\x93 Required Safeguards, states:\n\n        To protect Smithsonian equipment and data, users are required to use safeguards that\n        include - Prohibiting system administrators from establishing group accounts controlled\n        by a single password.\n\nIn addition, Technical Standard and Guideline IT-930-02, Security Controls Manual, Section 3.1.1.2,\nUser IDs, states:\n\n        User IDs must be unique to an individual; no group user ID\xe2\x80\x99s are permitted. This control\n        is essential for ensuring user accountability. System administrators will ensure that\n        contractor and other non-staff personnel (e.g. interns and volunteers) have individual\n        accounts and that these accounts are either set to expire at the end of the contract or\n        internship, or that they are reviewed annually on the anniversary date of the establishment\n        of the account to ensure that there is still a legitimate need for the account. Technical\n        Note IT-960-TN10 specifies the procedures for User Creation Guidelines.\n\nFurther, Section 3.1.1.4, Generic or Group IDs, states:\n\n        User accounts and ID\xe2\x80\x99s must be unique to an individual. No group or shared accounts are\n        permitted.\n\nThe use of shared or group accounts minimizes or eliminates the effectiveness of audit trails, because\nactions cannot be tied back to a single individual. Individuals who use group accounts or share a single ID\ncould potentially perform unauthorized or inappropriate activities within the system that could not be tied\nback to them.\n\nRecommendation\n\n        2. We recommend the DMIS system sponsor/owner require administrators to log into DMIS in\n           accordance with Institution policy using individual accounts to enhance audit trails and user\n           accountability.\n\n\n\n\n                                                    5\n\x0cSummary of Management Response\n\nManagement\xe2\x80\x99s April 19, 2007, response to our draft report concurred with both recommendations to\nstrengthen the confidentiality, availability, and integrity of the information on DMIS and to enhance audit\ntrails and user accountability. The Director, Office of External Affairs agreed to fully implement standard\nsecurity configuration baselines within six months of receiving the latest operational release of Blade\nLogic (a software delivery and configuration utility used for Windows servers) from OCIO. Management\nalso stated that it had established individual administrator accounts and that they were being used to\nenhance audit trails and user accountability. The full text of management\xe2\x80\x99s response is included in the\nAppendix.\n\nOffice of the Inspector General Comments\n\nManagement has planned and taken actions that respond to our recommendations, and we consider them\nresolved. In evaluating management\xe2\x80\x99s response to this report, we conferred with the IT Security Director\nand determined that the new version of Blade Logic was due to be released in July 2007. Therefore, we\nhave established a target completion date for Recommendation 1 as January 31, 2008, 6 months from the\ndate of the release. Additionally, OCIO should ensure that the POA&M is updated with the revised\ncompletion data as well.\n\nWe appreciate the courtesy and cooperation of Smithsonian representatives during this evaluation. If you\nhave any questions concerning this report, please call me or Stuart Metzger at (202) 633-7050.\n\n\n\n\n                                                     6\n\x0cAppendix \xe2\x80\x93 Management Response\n\n\n\n\n                                 7\n\x0c'